Transparent sslh to ssh (get IPs for fail2ban or Match rules) - without iptables
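# /etc/sslh/sslh.cfg — libconfig syntax: each setting ends with ';', '#' starts a
# full-line comment. (The stray "| |" cells from the original page are table
# residue, not config, and would make libconfig reject the file.)
# Based on http://rutschle.net/pipermail/sslh/2018-April/000674.html
#
# Why transparent mode: sslh opens the backend connection with the client's real
# source address, so sshd — and therefore fail2ban and sshd_config "Match Address"
# rules — sees the original client IP rather than 127.0.0.1.
# Setting IP_TRANSPARENT on that socket needs CAP_NET_ADMIN. sslh is started as
# root by the unit and drops to "user" itself, so it must be a libcap-enabled
# build to keep that capability after the drop — confirm with the installed
# package before relying on this (check `journalctl -u sslh` for EPERM after start).
# sshd's replies, sourced from 127.0.0.2, only find their way back to sslh via
# the policy-routing rules the unit adds in ExecStartPre; without them the
# connection hangs.
verbose: 1;
foreground: true;
inetd: false;
transparent: true;
# Unprivileged account sslh switches to once the listening socket is bound.
user: "sslh";
# Under systemd in foreground mode the pidfile is not needed; kept from the original.
pidfile: "/var/run/sslh.pid";
# Connection log lines go to the auth facility so jails reading the auth log
# (fail2ban) can match them; verify the line format against your filter regex.
syslog_facility: "auth";
# Bind only the one address this port is meant to be reached on. Everything
# arriving here is untrusted input to sslh's protocol probes.
listen: ({ host: "10.1.1.222"; port: "443"; });
protocols: ({
    # sshd must actually listen on 127.0.0.2 (ListenAddress 127.0.0.2, or a
    # wildcard address) for this target to work. Only ssh is listed, so every
    # connection on 443 ends up at sshd; what happens to clients whose probe does
    # not match ssh depends on sslh's default-protocol handling — check sslh(8)
    # and add a "tls" entry if this port should also carry TLS.
    name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "22";
    # Non-zero enables per-connection logging for this protocol. sslh(8)
    # documents 0/1 — the value 5 is from the original gist; presumably treated
    # as "on" — confirm.
    log_level: 5;
});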
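# sslh.service — runs sslh in transparent mode together with the policy routing
# that brings sshd's replies back through sslh (no iptables/nftables needed).
# Fixes over the original: idempotent route/rule setup so a restart after an
# unclean stop does not fail with "RTNETLINK answers: File exists", teardown
# that cannot leave the unit in failed state, and a capability bounding set.
[Unit]
Description=SSL/SSH multiplexer
# sslh.cfg binds a specific address (10.1.1.222). If that address is not yet
# configured when this starts, the bind fails; if that happens use
# After=network-online.target plus Wants=network-online.target.
After=network.target
Documentation=man:sslh(8)

[Service]
# Only affects systemd's own tooling; sslh's verbosity is set in sslh.cfg
# (verbose / log_level). Kept from the original "extra logging" setup.
Environment=SYSTEMD_LOG_LEVEL=debug
# -F keeps sslh in the foreground (journald captures its stderr). The config
# path is explicit because the Debian/Ubuntu package does not install
# /etc/sslh/sslh.cfg.
ExecStart=/usr/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process
# No User= here: sslh starts as root and drops to the account named in
# sslh.cfg on its own, so this directive is a no-op as written. Kept for
# compatibility with the original; newer systemd expresses the same intent
# with a '+' prefix on the ExecStartPre= lines.
PermissionsStartOnly=true
# Least privilege for a daemon that faces the network as root:
# NET_BIND_SERVICE (port 443), NET_ADMIN (IP_TRANSPARENT and the ip(8) calls
# below), SETUID/SETGID (dropping to the sslh user). Add CAP_SYS_CHROOT if a
# chroot is configured in sslh.cfg. If startup fails with EPERM after this
# change, compare against the distribution's own sslh.service.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID
# Policy routing for transparent mode: packets sourced from 127.0.0.2 (sshd's
# replies to the spoofed client address) are looked up in table 100, which
# delivers everything locally on lo so they reach sslh instead of leaving the
# host. The fwmark 0x1 rule only matters if something marks packets (the
# iptables variant of this setup); it is harmless without it.
# ip(8) "rule add" does not de-duplicate and "route add" fails if the entry
# already exists, so remove first (failure ignored with '-') and use "replace".
ExecStartPre=-/sbin/ip rule del fwmark 0x1 lookup 100
ExecStartPre=-/sbin/ip rule del from 127.0.0.2/32 table 100
ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100
ExecStartPre=/sbin/ip route replace local 0.0.0.0/0 dev lo table 100
ExecStartPre=/sbin/ip rule add from 127.0.0.2/32 table 100
ExecStartPre=/sbin/ip route flush cache
# Teardown on stop (systemd also runs ExecStopPost when the service exits
# unexpectedly). The '-' prefix keeps an already-missing rule or route from
# marking the unit as failed.
ExecStopPost=-/sbin/ip rule del fwmark 0x1 lookup 100
ExecStopPost=-/sbin/ip route del local 0.0.0.0/0 dev lo table 100
ExecStopPost=-/sbin/ip rule del from 127.0.0.2/32 table 100
ExecStopPost=-/sbin/ip route flush cache

[Install]
WantedBy=multi-user.target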
Notes: this configuration currently has extra logging switched on (verbose and a per-protocol log_level in sslh.cfg, SYSTEMD_LOG_LEVEL=debug in the unit). Turn it down once the setup works; the connection log goes to the auth facility, so every probe of port 443 ends up there.
On Debian/Ubuntu the package provides /etc/default/sslh (command-line options for its own service) but does not create /etc/sslh/sslh.cfg, so you have to write that file yourself and point the unit at it explicitly.
Start it as `/usr/sbin/sslh -F /etc/sslh/sslh.cfg` (foreground, explicit config path): run from a shell while debugging, sslh's messages appear directly on the terminal instead of having to be fished out of journalctl.